From mboxrd@z Thu Jan 1 00:00:00 1970 From: Jiri Pirko Date: Thu, 07 Jul 2016 08:39:22 +0000 Subject: Re: [patch -next] mlxsw: spectrum_router: fix a use after free Message-Id: <20160707083922.GE2009@nanopsycho.orion> List-Id: References: <20160707082027.GB16742@mwanda> In-Reply-To: <20160707082027.GB16742@mwanda> MIME-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit To: Dan Carpenter Cc: Jiri Pirko , Ido Schimmel , netdev@vger.kernel.org, kernel-janitors@vger.kernel.org Thu, Jul 07, 2016 at 10:20:28AM CEST, dan.carpenter@oracle.com wrote: >mlxsw_sp_fib_entry_destroy() frees "fib_entry" but we dereference it on >the next line. > >Fixes: 61c503f976b5 ('mlxsw: spectrum_router: Implement fib4 add/del switchdev obj ops') >Signed-off-by: Dan Carpenter > >diff --git a/drivers/net/ethernet/mellanox/mlxsw/spectrum_router.c b/drivers/net/ethernet/mellanox/mlxsw/spectrum_router.c >index e084ea5..adb481a 100644 >--- a/drivers/net/ethernet/mellanox/mlxsw/spectrum_router.c >+++ b/drivers/net/ethernet/mellanox/mlxsw/spectrum_router.c >@@ -1652,8 +1652,8 @@ static void mlxsw_sp_router_fib4_add_info_destroy(void const *data) > struct mlxsw_sp_fib_entry *fib_entry = info->fib_entry; > struct mlxsw_sp *mlxsw_sp = info->mlxsw_sp; To be consistent with the rest of the flows, I would rather do: struct mlxsw_sp_vr *vr = fib_entry->vr; mlxsw_sp_fib_entry_destroy(fib_entry); mlxsw_sp_vr_put(mlxsw_sp, vr); I can send the fix or I can leave it up to you. Thanks.